Accepted for/Published in: Journal of Medical Internet Research

Date Submitted: Aug 7, 2022
Open Peer Review Period: Aug 7, 2022 - Oct 2, 2022
Date Accepted: Jan 19, 2023

The final, peer-reviewed published version of this preprint can be found here:

Artificial Intelligence–Based Ethical Hacking for Health Information Systems: Simulation Study

He Y, Zamani E, Ni K, Yevseyeva I, Luo C

J Med Internet Res 2023;25:e41748

DOI: 10.2196/41748

PMID: 37097723

PMCID: 10170356

AI-based Ethical Hacking for Health Information Systems (HIS): a simulation study

  • Ying He
  • Efpraxia Zamani
  • Kun Ni
  • Iryna Yevseyeva
  • Cunjin Luo

ABSTRACT

Background:

Health information systems (HIS) are continuously targeted by hackers, who aim to bring down the health critical infrastructure. This study is motivated by recent attacks on healthcare organisations, such as the World Health Organisation, hospitals, and pharmaceutical companies, that have resulted in the compromise of the sensitive data held in HIS.

Objective:

This research aims to provide new insights regarding HIS cybersecurity protection. We propose a novel optimized (AI-based) ethical hacking method tailored for HIS and compare it with the traditional unoptimized ethical hacking method. The proposed method allows researchers and practitioners to identify the points of possible penetration attacks on HIS more efficiently.

Methods:

In this study, we propose a novel methodological approach to ethical hacking for HIS. We launched ethical hacking using both optimized and unoptimized methods in an experimental setting. Specifically, we set up an HIS simulation environment by implementing the OpenEMR (Open Electronic Medical Record) system and followed the National Institute of Standards and Technology's (NIST) ethical hacking framework to launch the attacks. In the experiment, we launched 50 rounds of attacks using both unoptimized and optimized methods.

Results:

Ethical hacking was successful using both optimized and unoptimized methods. The results show that the optimized ethical hacking method outperforms the unoptimized one in terms of average time used, average success rate of exploit, number of exploits launched, and number of successful exploits.

Conclusions:

This research demonstrates systematic ethical hacking against HIS using optimized and unoptimized methods, together with a set of penetration testing tools used to identify exploits and combine them to perform ethical hacking. The findings have great significance for the healthcare sector, specifically because OpenEMR is widely adopted by healthcare organisations. Our findings offer novel insights for the protection of HIS and equip researchers to conduct further research in the HIS cybersecurity domain.



© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.